Helen Brown Group

By

Data Privacy (Part 2): Practical Tips and Better Practices

This week we get the second half of a two-parter on data protection and legal compliance from HBG’s Jessica Woodbridge. Although it may not seem the most scintillating of topics, data compliance is an incredibly important topic to stay on top of, especially now when there is pending legislation that could impact our sector on the docket. If you missed Michele Borucki’s part-one article last week establishing where we are and how we got here, please take a minute to do so before forging ahead today. Then, come back with a notebook to save Jessica’s tips for making sure that your nonprofit’s data compliance checklist is up to date. ~Helen

Jessica Woodbridge

Jessica Woodbridge

Being a good steward of data is not just a good idea, it’s a legal necessity. Nonprofits process donor information on a regular basis, and with this comes the responsibility of understanding the information you hold as well as how to maintain it in the most secure way.

As my colleague, Michele Borucki, mentioned in last week’s Intelligent Edge article, there have been 15 states that have passed comprehensive consumer data privacy laws since 2018 and there are even more to come. There’s also federal legislation pending that could bring consumer data privacy to the federal level if passed. This all goes to say that as data grows in our world, so must we adapt and learn how to be compliant with data security and protection laws.

Here are some practical tips and best practices you can use in your shops to ensure you are protecting your constituents’ information as well as your organization:

Applicability: 

  • Understand your data.
  • What type of data gets stored?
  • Where is your data stored?
  • How is your data shared?
  • Who is your data shared with and how are they using it?
  • Determine which, if any, consumer data privacy laws apply to your organization.

Data Minimization: 

  • “The principle of ‘data minimisation’ means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose.” – European Data Protection Supervisor.
  • Review the APRA Data Minimization Toolkit.
  • Provide training to your team on best practices for what to add in contact reports, notes, proposals, and other data points in your CRM system (such as inactivating old records/divorced persons).

Better Practices: 

  • Share research through secure methods.
  • Review your organization’s privacy policy.
  • Practice data minimization.
  • Follow the stands of ethics set by Apra and the Association of Fundraising Professionals.
  • Use industry-standard, publicly available resources.
  • Provide training for your colleagues.

GDPR-Specific: 

GDPR is based on geography, not citizenship; it pertains to any individual who has a residence (of any kind) in the EU and UK.

Create a GDPR-compliant research template:

  • Do not use a photo of the prospect.
  • Do not include country of birth.
  • Include education if it is provided by client or found on LinkedIn, corporate bio, or donor report listing class year.
  • Include business information if it is found on LinkedIn, corporate bio, or donor report listing class year.
  • Only include children’s names if supplied by client or public document over the age of 16.
  • Only include parent information if found in newspaper or public document.
  • Only include sibling information if found in newspaper or public document.
  • Do not use sources like Facebook.
  • Tag GDPR research so it can be sorted and easily deleted.
  • Delete research after 6 months.

Stay Informed/Resources: 

Does your organization have someone who tracks data privacy laws? Here are a few examples of positions that would be able to assist your organization on data compliance:

  • Information technology consultants who can review your data security measures and help train your staff on implementation.
  • Nonprofit compliance experts who can ensure your organization follows key regulations, properly registers to solicit and files all necessary reports by their due dates.
  • Outsourced accountants who can assist in strengthening policies and procedures as well as compiling the financial data you need for effective reporting.

Protecting the rights of our clients and their constituents is of the utmost importance and is always at the forefront of our minds. By using best practices, following your organization’s legal guidelines, and generally being good stewards of data, you can ensure data compliance is being met. It takes all of us to take the necessary step to maintain data compliance and having the highest standards.

By

Data Privacy: Where We’ve Been and Where We are Going

This week on The Intelligent Edge we welcome Director of Research Michele Borucki to share a brief history of data protection laws in the United States, where they are headed in the near future, and how they’ll impact our nonprofits. It’s a great foundational part one of two, because next week our colleague Jessica Woodbridge will take up the topic, providing lots of resources to help your nonprofit learn and stay compliant. Michele and Jessica will be sharing their knowledge on the topic at the upcoming NEDRA conference in New Haven, May 2-4 – hope to see you there! ~Helen

Michele Borucki

Michele Borucki

Here at the Helen Brown Group, we’ve talked a lot over the years about data privacy laws that have impacted our work in the prospect development field. We’ve published in-depth blog posts, continue to share up to date resources with our wonderful community, and many of us on the team have created and executed webinars and presentations on the topic.

The one thing we haven’t done yet here on the Intelligent Edge is share with you the nuts and bolts of how we as a firm protect not only our clients’ information, but that of the constituents that they entrust us with on a daily basis.

Next week, my colleague Jessica Woodbridge will be sharing some awesome tips and tricks that we use (and you can too!) to make sure your shop is compliant with data security and protection laws. Before we get into that, please indulge me in a brief history of data privacy, what laws we already have in place here in the US, and what’s on the horizon.

The most famous of the privacy laws, the General Data Protection Regulation or GDPR, has only been in existence since 2018, but its roots go back much further. Where did the idea of data privacy come from?

In 1890 two US lawyers, Samuel D. Warren and Louis Brandeis, (Yup! That Brandeis) wrote a Harvard Law Review article called The Right to Privacy, arguing for the “right to be left alone” and using the phrase as a definition of privacy. Obviously, the type of data has since changed from the 1800’s with the evolution of technology, but even back in 1948 when the Universal Declaration of Human Rights was adopted (including the 12th fundamental right, i.e. the Right to Privacy) lawmakers understood that all humans and their information have the right to be protected.

The US hasn’t adopted a universal consumer data privacy law yet. Many iterations have been drafted and proposed, even as recent as earlier this month with the bipartisan American Privacy Rights Act. So far, only 15 states have passed comprehensive consumer data privacy laws: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia. Six of those states have laws that have gone into effect: California, Colorado, Connecticut, Florida, Virginia and Utah. And in 2024, we will see laws in Montana, Oregon, and Texas go into effect.

These laws are only applied to for-profit companies, but Colorado’s consumer data privacy law is the first to apply to nonprofits. Oregon and Delaware’s laws (both of which will go into effect in 2025) will also apply to nonprofits.

In the case of Colorado, “an organization must have personal data on 100,000 or more Coloradans; or receive revenue or discounts from the sale of data (e.g., list rental and exchange) and have data for 25,000 or more Coloradans”. Even if your state is not yet on this list, if you are a business or nonprofit with a certain number of consumers/constituents from Colorado (or any state that passes a privacy law including nonprofit data management) this applies to you.

One of the main commonalities among these laws is that they give individuals the power to control their own information. At the same time, companies and organizations are responsible for being good pillars of data collection. Across the board, the following themes exist for consumer rights:

  • Right to access
  • Right to correct
  • Right to delete
  • Right to opt out of certain processing
  • Right to portability
  • Right to opt out of sales
  • Right to opt in for sensitive data processing
  • Right against automated decision-making
  • Private right of action

There are so many ways we can unintentionally do harm when it comes to data privacy. As nonprofits it’s important to understand what we can do to make sure that we are caring for our constituents’ personal information. Stay tuned for next week’s post and Jessica’s strategies for making sure your organization is  on the right track and complying with current and future privacy laws.

 

By

GDPR comes to America – the CaCPA

Photo by Ed Uthman from Flickr

When the European General Data Protection Regulation went into effect this past May, I’d hazard a guess that a majority of the medium-to-largest charitable organizations in the UK and Europe were on the motorway to compliance if not already there.

Here in the United States, not so much. The folks at most of the very large nonprofits that I spoke with were somewhere on the compliance road, but the medium-to-small nonprofits were either unaware of the regulation, uncomfortable about their compliance, or uneasily going with the plan that GDPR didn’t apply to them.

There’s a new law in town

Any feelings of privacy-law-compliance comfort that database administrators may have had is about to change. A new privacy law was passed in California this summer that will ripple across the country in 2020. It will affect companies and nonprofits nationally – and internationally. [Read more…]

By

GDPR and you

This week’s article comes in the form of a podcast that I just recorded with two of the most knowledgeable and generous GDPR-whisperers that I know in the fundraising community, Adrian Beney of More Partnership and Nicola Williams of The Factary.

Click image to access the podcast

Both Adrian and Nicola have been researching and consulting with other experts to understand the law for months, and they’ve written many articles, have been speaking at loads of professional conferences, and have provided useful resource lists for all of us to find guidance on the General Data Protection Regulation that comes into effect on May 25th. If the rest of us are not up on the new regulation, it’s not through any lack on their part to get the word out.

But because of that, they’re very busy people, so I was especially excited when they both said yes to a podcast interview. I know that you’re going to find the conversation we had to be well worth your time. I’m sincerely grateful to them for their generosity to our community, and for their willingness to be a resource to help nonprofits in the US figure all of this out.

GDPR Generally

As I’ve mentioned before, this is a European-based piece of legislation, but every company and nonprofit in the world will have to comply with it if they have EU-based constituents in their database. The GDPR regulates (amongst many other things) WHAT data you’re allowed to hold, HOW LONG you may hold it, and the WAYS you must communicate to your constituency their rights regarding that data. There are certain pieces of information you CANNOT hold in your database (without explicit consent), and many of them are demographic data we here in the US take for granted as being relatively harmless.

Ignorance of the law is no excuse, and fines for noncompliance will be steep: up to €20 million ($25 million) or 4% of an organization’s total revenue, whichever is greater.

If you’re unsure what GDPR is and how you should be ready, log in* to our learning media area to listen to this informative podcast with Adrian and Nicola. We’ve also included a number of useful resources with the podcast for further information.

*Registration to the Resource Library is free. It gives you access to a number of useful resources including podcasts, presentations, wealth lists, research resources, and our weekly newsletter. You will be asked for your name and email address. You may unsubscribe at any time and your information will not be retained.

By

Is Your Nonprofit Ready for GDPR?

The new EU data protection law, the General Data Protection Regulation (GDPR) comes into force on May 25th and it brings with it an entirely new set of rules that nonprofits world-wide – not just in the European Union – will have to abide by. I’m not seeing a lot of discussion about it here in the US fundraising community* and that concerns me. [Read more…]

By

International prospect research resources – United Kingdom

From a North American perspective, international prospect research just doesn’t get any better than the United Kingdom.

First of all, there’s no language barrier.

Second, the way information is gathered and distributed by commercial and governmental entities is relatively similar to ours, so navigating around information sources feels …familiar. Logical.

And third, many of the resources that provide information here in the US (like LexisNexis, Factiva, D&B, and Moody’s) also offer products and services in the UK, so there’s crossover. Some of the information we can already get through what we’ve already, well, got. [Read more…]

The Helen Brown Group LLC
Follow Us: Linkedin
617-393-1983
info@helenbrowngroup.com
Helen Brown Group